CPC G06F 21/54 (2013.01) [G06F 21/554 (2013.01); G06F 2221/033 (2013.01)]
9 Claims

1. A method for protecting a program in a computer system, the method comprising:
when a subroutine of said program is called, pushing a return address on to a stack to start forming a stack frame;
when pushing said return address, generating a checksum for said stack frame;
each time a predetermined opcode is detected for said subroutine, updating said checksum according to an operand associated with said predetermined opcode;
if the predetermined opcode is a pop opcode, in addition to said updating, determining whether the operand associated with said pop opcode is said return address;
if it is determined that said operand is said return address, verifying said checksum before executing said predetermined opcode in order to detect an attack;
when generating said checksum, initializing said checksum to have a predetermined value and adding said return address's value to said predetermined value;
when updating said checksum:
if said predetermined opcode is a push opcode, adding said operand to the current value of said checksum;
if said predetermined opcode is a load opcode or a pop opcode, subtracting said operand from the current value of said checksum;
when verifying said checksum, checking whether the current value of said checksum is equal to said predetermined value; and
if said checksum is equal to said predetermined value, determining that there is no attack; otherwise, determining that there is an attack.
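The checksum scheme of claim 1, as an added example that is not code from the patent: a toy stack frame in C in which the call initializes the checksum, each push adds its operand, each pop subtracts it, and the pop of the return address is refused unless the checksum is back at its initial value. Assumptions: the predetermined value `CHK_INIT`, identifying the return address by its slot position, and the names `op_call`, `op_push`, `op_pop` and `run_frame` are all hypothetical; the load opcode is left out.

```c
#include <stdint.h>
#include <stdio.h>

#define CHK_INIT 0xA5A5A5A5u      /* "predetermined value" (constructed) */

typedef struct {
    uint32_t slot[16];            /* slot[0] holds the return address */
    int sp;                       /* index of the next free slot */
    uint32_t chk;                 /* running checksum for this frame */
} frame_t;

/* Subroutine call: push the return address, checksum = init + address. */
static void op_call(frame_t *f, uint32_t ret_addr) {
    f->sp = 0;
    f->slot[f->sp++] = ret_addr;
    f->chk = CHK_INIT + ret_addr;
}

/* Push opcode: add the operand to the checksum. */
static void op_push(frame_t *f, uint32_t v) {
    f->slot[f->sp++] = v;
    f->chk += v;
}

/* Pop opcode: subtract the operand actually read from the stack. If it is the
 * return address, verify before executing. Returns -1 on a detected attack. */
static int op_pop(frame_t *f, uint32_t *out) {
    uint32_t v = f->slot[f->sp - 1];
    f->chk -= v;
    if (f->sp - 1 == 0 && f->chk != CHK_INIT)
        return -1;                /* mismatch: the pop is not executed */
    f->sp--;
    *out = v;
    return 0;
}

/* tamper: 0 = none, 1 = return address overwritten, 2 = pushed value overwritten */
static int run_frame(int tamper) {
    frame_t f;
    uint32_t v;
    op_call(&f, 0x00401234u);     /* constructed return address */
    op_push(&f, 7);
    op_push(&f, 42);
    if (tamper == 1) f.slot[0] = 0xDEADBEEFu;   /* simulated corruption */
    if (tamper == 2) f.slot[1] = 99;            /* simulated corruption */
    while (f.sp > 0)
        if (op_pop(&f, &v) != 0) return -1;
    return 0;
}

int main(void) { printf("%d %d %d\n", run_frame(0), run_frame(1), run_frame(2)); return 0; }
```

Because every popped operand is subtracted, a value changed in place anywhere in the frame leaves a residue that is only checked when the return address is popped, which is why the third case is also flagged.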